In The Wild: Mobile Security Observations from the Check Point Research Team

Special thanks to malware analysts Nikita Kazymirsky and Hod Gavriel who contributed to this blog post.

Mobile malware learns fast. Many times, these malwares imitate behaviors and trends first seen in the PC world. However, mobile users are much less aware of mobile malware than PC malware. This allows mobile malware to gain momentum and to achieve its malicious intent. This week we saw mobile malware that successfully implemented techniques that up until now had been seen almost exclusively in the PC world.

DataLust Android Malware Joins the Ransomware Mayhem

Ransomware is a growing phenomenon all over the world, as in Kentucky where another hospital has been taken hostage. But ransomware is a problem for mobile users too, like DataLust which targets user of porn apps. This ransomware chooses whether to encrypt the victim’s device depending on the language of the device on which it’s running.

If the language fits the malware’s requirements, it encrypts all of the data on the device and locks it. Then the ransomware shows the user its ransom demand which today stands at 1,000 rubles or roughly $15USD. This might seem like a small sum, but previously discovered mobile ransomware raised its prices when targeting Western Europe and the US.

There are two interesting factors in this new malware. First is the mobile aspect of ransomware. This could be an early bird of what will become a raging plague for mobile devices, just as it is in the PC world today. Second is the extent of the encryption. Due to Android sandboxing, the malware can’t just access any memory partition it wants. But it can access the SD card using the appropriate Android permission.

In the future, we expect to see Android ransomware leveraging privilege escalation capabilities to inflict the same damage all over the device.

Flash Banker Targets Australia, New Zealand, And… Turkey!

A relatively new Banker malware is disguising itself as a Flash player and is spread by phishing attacks. Once installed on a device, Flash Banker uses social engineering to persuade users to grant it elevated privileges using a device admin mechanism commonly abused by malware.

To activate, the Flash Banker checks whether one of its targeted bank applications is even installed on the device. If it is, it initiates a screen overlay of the login page and locks the device until the user enters login credentials. Flash banker is even able to overcome 2 Factor Authentication (2FA), as we have seen previous bankers do.

Out of 14 C&C servers we detected, which are also related to additional attacks we have seen in the past, three are still active. When we requested the IP address the answer came in Russian:

We managed to take a deeper look at the attacker’s control panel:

We can see devices that had been attacked and that had their 2FA bypassed.

Click to enlarge.

In addition, the C&C server contains a script which allows the attacker to regenerate a new sample each time he attacks. The targeted banks list can be updated, and additional targets could be added easily. All the attacker needs to do is to define the target package name and create matching fake login pages.

The fact that the C&C admin interface communicates in Russian, and the targeted banks greatly vary, indicates this might be a case of banker malware as a service, created by Russian developer and sold to cyber criminals. A similar case has recently occurred with the new version infamous GMbot Android banker malware.

Another Crack in the iOS Garden Wall

It seems that, more and more, different applications manage to bypass Apple’s security measures successfully. Each instance uses a different method to do so, emphasizing how crucial it is for users not to rely on Apple’s protections alone. This time, an app called AceDeceiver used a previously unknown flaw in Apple’s DRM mechanism to install third-party applications on devices, an attack vector known as a FairPlay Man-in-the-Middle (MitM) attack.

This vector allows attackers to purchase an app from the official app store and then to save the app’s authorization code needed to run apps on an iOS device in order to abuse it later. The attacker can then distribute third-party apps and use that authorization code to trick iOS into believing it is a legitimate app, purchased through the App Store.

AceDeceiver managed to fool Apple’s code review by adjusting its behavior according to its geographical location, acting on its true objectives only when located in China. When installed, AceDeceiver allows third-party applications to be installed on devices without any need for user approval as in previous attack vectors. This is extremely dangerous for users since it can easily install malware without their notice.

Long Story Short: You’re Gonna Need a Bigger Wall

To stay protected, Apple users must use additional protective measures. The days in which the official App Store was a clean and safe environment are long gone. The new threats require appropriate and adequate security measures that protect devices against all threats, known and unknown, including zero-day malware.

Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.